DevOpsSec: Building CI/CD with Security Teams
Shawn Wells, Chief Security Strategist, Red Hat Public Sector
shawn@redhat.com || 443-534-0130

NDA REQUIRED | JIM TYRRELL

RELEASES PER YEAR (chart: release cadence from 1/day to 1/hour)

INTRO TO CI/CD
(diagram: dev → source repository → CI/CD engine → container)
https://www.youtube.com/watch?v=65BnTLcDAJI

Meanwhile, in Government: FISMA from an earlier era
● Written in 2003-2004
● Pre GovCloud, C2S, MilCloud
● Pre DevOps, Infrastructure as Code
● Multi-year dev/ship cycles common
● Waterfall dominant
● IT was more manual a decade ago
Reference: https://www.telos.com/assets/Telos-AWS-white-paper.pdf

DevOps + Security

Layered Packaging: Separation of Concerns
(diagram: container image layers, each owned by a different role: Operations, Architects, Application developers)

Registries: Where do you get your containers?
Public and Private Registries
● What security meta-data is available for your images?
● Are the images updated regularly?
● Are there access controls in the registry? How strong are they?
Red Hat Container Registry
● Policies to control who can deploy which containers
● Certification Catalog
● Trusted content with security updates
(diagram: CONTAINER stack: APP / RUNTIME / OS / HOST OS)

Container Contents Matter
You need to know …
● CONTAINER: Will what’s inside your container compromise your infrastructure?
● APPLICATION: Are there known vulnerabilities in the application layer?
● RUNTIME / OS: Are the runtime and operating system layers up to date?

OpenSCAP: a community-created portfolio of tools and content to assess systems for known vulnerabilities.
https://github.com/NSAgov
Or direct: https://github.com/OpenSCAP


RHEL7 STIG content, rebased in RHEL 7.3:
● 6,180 commits from 95 people
● 441,055 lines of code
Shipping in RHEL 7:
● Intelligence Community: C2S and CS2
● DoD: RHEL7 Vendor STIG
● Civilian: USGCB/OSPP
● Justice: FBI Criminal Justice Info. Systems (FBI CJIS)
OpenSCAP interpreter contains:
● 6,811 commits from 74 people
● 157,775 lines of code
“Security Button” RHEL7 Installer:
● 6 people, 90 days


Atomic Scan
Enables multiple container scanners
(diagram: CONTAINER → Container API → Red Hat Scanning Interface → Red Hat container scanning)

Example Pipeline
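The slides above ask whether the container's application, runtime and OS layers carry known vulnerabilities or fail the STIG baseline, and show OpenSCAP / Atomic Scan as the way to answer that. What a pipeline actually needs is a stage that runs the scan and turns the results into a pass/fail gate. The script below is an added example written for this page, not code from the talk or from the OpenSCAP project. Assumptions, labelled in the comments: the datastream path and STIG profile id are the ones the scap-security-guide package installs on RHEL 7 (confirm with `oscap info` on your host), the OVAL file name is the Red Hat RHSA feed as downloaded, and the two result files it parses are constructed to look like `oscap` output (the advisory ids in them are placeholders, not real advisories).

```shell
#!/bin/sh
# Added example: gate a CI stage on OpenSCAP results (STIG rules + RHSA OVAL).
set -eu

DS=/usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml          # assumption: RHEL 7 SSG datastream
PROFILE=xccdf_org.ssgproject.content_profile_stig-rhel7-disa  # assumption: SSG STIG profile id
OVAL=com.redhat.rhsa-RHEL7.xml                                # assumption: downloaded RHSA OVAL feed

# Command that evaluates the STIG profile; oscap exits 0 when all rules pass, 2 when any fail.
oscap_stig_cmd() {  # $1 = results xml, $2 = html report
  printf 'oscap xccdf eval --profile %s --results %s --report %s %s\n' "$PROFILE" "$1" "$2" "$DS"
}

# Command that checks installed RPMs against the RHSA OVAL feed; for images,
# `atomic scan --scanner openscap --scan_type cve IMAGE` drives the same check.
oscap_cve_cmd() {  # $1 = results xml
  printf 'oscap oval eval --results %s %s\n' "$1" "$OVAL"
}

# Rule ids whose <result> is "fail" in an XCCDF results file.
# oscap writes idref as the first attribute and <result> as the first child, which the pattern relies on.
failed_rules() {  # $1 = xccdf results file
  tr -d '\n' < "$1" \
    | { grep -o '<rule-result idref="[^"]*"[^>]*>[[:space:]]*<result>fail</result>' || true; } \
    | sed 's/^<rule-result idref="\([^"]*\)".*/\1/'
}

# OVAL definitions that evaluated true: the advisory applies and the fix is NOT installed.
vulnerable_defs() {  # $1 = oval results file
  tr -d '\n' < "$1" \
    | { grep -o '<definition definition_id="[^"]*"[^>]*result="true"' || true; } \
    | sed 's/^<definition definition_id="\([^"]*\)".*/\1/'
}

# Pipeline gate: non-zero exit if either scan reported a problem, listing what failed.
gate() {  # $1 = xccdf results, $2 = oval results
  fails=$(failed_rules "$1")
  vulns=$(vulnerable_defs "$2")
  status=0
  [ -z "$fails" ] || { echo "STIG rules failed:"; echo "$fails"; status=1; }
  [ -z "$vulns" ] || { echo "Unpatched advisories:"; echo "$vulns"; status=1; }
  return $status
}

# Constructed sample results (shape of oscap output; advisory ids are placeholders).
write_samples() {  # $1 = directory
  cat > "$1/xccdf.xml" <<'EOF'
<TestResult id="xccdf_org.open-scap_testresult_stig-rhel7-disa">
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_no_empty_passwords" severity="high">
    <result>fail</result>
  </rule-result>
</TestResult>
EOF
  cat > "$1/oval.xml" <<'EOF'
<oval_results>
  <results><system><definitions>
    <definition definition_id="oval:com.redhat.rhsa:def:20170001" version="601" result="true"/>
    <definition definition_id="oval:com.redhat.rhsa:def:20170002" version="601" result="false"/>
  </definitions></system></results>
</oval_results>
EOF
}

# Stand-alone run: print the scan commands a stage would execute, then gate on the samples.
dir=$(mktemp -d)
write_samples "$dir"
oscap_stig_cmd "$dir/xccdf.xml" "$dir/report.html"
oscap_cve_cmd "$dir/oval.xml"
gate "$dir/xccdf.xml" "$dir/oval.xml" || echo "gate: stage would fail (two STIG rules, one advisory)"
rm -rf "$dir"
```

In a real stage the two `printf` lines are replaced by running the commands on the build host or, for an image, against its rootfs (`oscap-chroot`, or `atomic scan`), and `gate` decides whether the image is allowed to proceed to the registry. Parsing the results file rather than trusting the scanner's exit code alone lets the job log name the failing rules and advisories, which is what a developer needs to fix the image.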

demos!

Thank You

Contact Info
LinkedIn: https://www.linkedin.com/in/shawndwells/
EMail: shawn@redhat.com
Cell: 443-534-0130 (US EST)
Blog: https://shawnwells.io
OpenSCAP Slides + Videos: https://github.com/OpenSCAP/scap-security-guide/wiki/Collateral-and-References